
auto update script executed

Toby Chui 1 year ago
parent
commit
6ec2fd8ebc
6 changed files with 101 additions and 13 deletions
  1. 1 0
      api.go
  2. 27 0
      cert.go
  3. 19 4
      mod/dynamicproxy/dynamicproxy.go
  4. 6 5
      mod/dynamicproxy/typedef.go
  5. 9 0
      reverseproxy.go
  6. 39 4
      web/components/status.html

+ 1 - 0
api.go

@@ -55,6 +55,7 @@ func initAPIs() {
 
 	//TLS / SSL config
 	authRouter.HandleFunc("/api/cert/tls", handleToggleTLSProxy)
+	authRouter.HandleFunc("/api/cert/tlsRequireLatest", handleSetTlsRequireLatest)
 	authRouter.HandleFunc("/api/cert/upload", handleCertUpload)
 	authRouter.HandleFunc("/api/cert/list", handleListCertificate)
 	authRouter.HandleFunc("/api/cert/checkDefault", handleDefaultCertCheck)

+ 27 - 0
cert.go

@@ -130,6 +130,33 @@ func handleToggleTLSProxy(w http.ResponseWriter, r *http.Request) {
 	}
 }
 
+// Handle the GET and SET of reverse proxy TLS versions
+func handleSetTlsRequireLatest(w http.ResponseWriter, r *http.Request) {
+	newState, err := utils.PostPara(r, "set")
+	if err != nil {
+		//GET
+		var reqLatestTLS bool = false
+		if sysdb.KeyExists("settings", "forceLatestTLS") {
+			sysdb.Read("settings", "forceLatestTLS", &reqLatestTLS)
+		}
+
+		js, _ := json.Marshal(reqLatestTLS)
+		utils.SendJSONResponse(w, string(js))
+	} else {
+		if newState == "true" {
+			sysdb.Write("settings", "forceLatestTLS", true)
+			log.Println("Updating minimum TLS version to v1.2 or above")
+			dynamicProxyRouter.UpdateTLSVersion(true)
+		} else if newState == "false" {
+			sysdb.Write("settings", "forceLatestTLS", false)
+			log.Println("Updating minimum TLS version to v1.0 or above")
+			dynamicProxyRouter.UpdateTLSVersion(false)
+		} else {
+			utils.SendErrorResponse(w, "invalid state given")
+		}
+	}
+}
+
 // Handle upload of the certificate
 func handleCertUpload(w http.ResponseWriter, r *http.Request) {
 	// check if request method is POST
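Review bot: handleSetTlsRequireLatest changes server state without checking r.Method, unlike handleCertUpload directly below it, and it treats any request in which PostPara cannot find `set` as a read, so a malformed write silently becomes a GET. Branch on the method instead (`if r.Method == http.MethodGet { … read … }` / POST → write) and report a missing `set` on POST with utils.SendErrorResponse rather than falling through to the read path. Both write branches also drop the sysdb.Write result and finish without writing any response body, so the caller cannot distinguish a persisted change from a failed one; check the Write error and send an explicit success body. The TLS floor is applied via dynamicProxyRouter.UpdateTLSVersion, which returns nothing, so a failed proxy restart is equally invisible to this handler and its client.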

+ 19 - 4
mod/dynamicproxy/dynamicproxy.go

@@ -45,6 +45,13 @@ func (router *Router) UpdateTLSSetting(tlsEnabled bool) {
 	router.Restart()
 }
 
+// Update TLS Version in runtime. Will restart proxy server if running.
+// Set this to true to force TLS 1.2 or above
+func (router *Router) UpdateTLSVersion(requireLatest bool) {
+	router.Option.ForceTLSLatest = requireLatest
+	router.Restart()
+}
+
 // Update https redirect, which will require updates
 func (router *Router) UpdateHttpToHttpsRedirectSetting(useRedirect bool) {
 	router.Option.ForceHttpsRedirect = useRedirect
@@ -62,9 +69,13 @@ func (router *Router) StartProxyService() error {
 		return errors.New("Reverse proxy router root not set")
 	}
 
+	minVersion := tls.VersionTLS10
+	if router.Option.ForceTLSLatest {
+		minVersion = tls.VersionTLS12
+	}
 	config := &tls.Config{
 		GetCertificate: router.Option.TlsManager.GetCert,
-		//MinVersion:     tls.VersionTLS12,
+		MinVersion:     uint16(minVersion),
 	}
 
 	if router.Option.UseTls {
@@ -172,18 +183,22 @@ func (router *Router) StopProxyService() error {
 }
 
 // Restart the current router if it is running.
-// Startup the server if it is not running initially
 func (router *Router) Restart() error {
 	//Stop the router if it is already running
+	var err error = nil
 	if router.Running {
 		err := router.StopProxyService()
 		if err != nil {
 			return err
 		}
+
+		// Start the server
+		err = router.StartProxyService()
+		if err != nil {
+			return err
+		}
 	}
 
-	//Start the server
-	err := router.StartProxyService()
 	return err
 }
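Review bot: In Restart, the `err := router.StopProxyService()` on the line after `if router.Running {` shadows the `var err error = nil` declared just above it, so the outer err is never assigned and the closing `return err` always returns nil; only the early returns inside the block make the function behave. Drop the outer declaration and write `return nil` at the end (or change the inner line to `err = router.StopProxyService()`) so the control flow reads as intended and the shadow check in `go vet` stays quiet. Related, UpdateTLSVersion discards the error from `router.Restart()`, so a restart that fails after ForceTLSLatest has already been flipped is reported to nobody; `return router.Restart()` lets the API handler surface it. In StartProxyService, `minVersion := tls.VersionTLS10` gives minVersion type int and forces the `uint16(minVersion)` cast; `var minVersion uint16 = tls.VersionTLS10` removes the cast, and a comment that the unforced floor still admits TLS 1.0 and 1.1 (deprecated by RFC 8996) would make the trade-off explicit to the next reader.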
 

+ 6 - 5
mod/dynamicproxy/typedef.go

@@ -22,13 +22,14 @@ type ProxyHandler struct {
 }
 
 type RouterOption struct {
-	HostUUID           string
-	Port               int
-	UseTls             bool
-	ForceHttpsRedirect bool
+	HostUUID           string //The UUID of Zoraxy, use for heading mod
+	Port               int    //Incoming port
+	UseTls             bool   //Use TLS to serve incoming requsts
+	ForceTLSLatest     bool   //Force TLS1.2 or above
+	ForceHttpsRedirect bool   //Force redirection of http to https endpoint
 	TlsManager         *tlscert.Manager
 	RedirectRuleTable  *redirection.RuleTable
-	GeodbStore         *geodb.Store
+	GeodbStore         *geodb.Store //GeoIP blacklist and whitelist
 	StatisticCollector *statistic.Collector
 }
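Review bot: The new field comment on UseTls reads `//Use TLS to serve incoming requsts`; it should be `requests`. The ForceTLSLatest comment could state the effect as StartProxyService implements it, e.g. `//When true the listener's MinVersion is TLS 1.2; otherwise TLS 1.0`, so readers of the struct do not have to find the consumer to learn what "latest" means.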
 

+ 9 - 0
reverseproxy.go

@@ -38,6 +38,14 @@ func ReverseProxtInit() {
 		log.Println("TLS mode disabled. Serving proxy request with plain http")
 	}
 
+	forceLatestTLSVersion := false
+	sysdb.Read("settings", "forceLatestTLS", &forceLatestTLSVersion)
+	if forceLatestTLSVersion {
+		log.Println("Force latest TLS mode enabled. Minimum TLS LS version is set to v1.2")
+	} else {
+		log.Println("Force latest TLS mode disabled. Minimum TLS version is set to v1.0")
+	}
+
 	forceHttpsRedirect := false
 	sysdb.Read("settings", "redirect", &forceHttpsRedirect)
 	if forceHttpsRedirect {
@@ -50,6 +58,7 @@ func ReverseProxtInit() {
 		HostUUID:           nodeUUID,
 		Port:               inboundPort,
 		UseTls:             useTls,
+		ForceTLSLatest:     forceLatestTLSVersion,
 		ForceHttpsRedirect: forceHttpsRedirect,
 		TlsManager:         tlsCertManager,
 		RedirectRuleTable:  redirectTable,
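Review bot: The enabled-case log line in ReverseProxtInit reads `"Force latest TLS mode enabled. Minimum TLS LS version is set to v1.2"`, with a stray `LS`; it should be `"Force latest TLS mode enabled. Minimum TLS version is set to v1.2"`. The result of `sysdb.Read("settings", "forceLatestTLS", &forceLatestTLSVersion)` is ignored, which matches the existing `redirect` read below it; that is harmless only if Read leaves the variable untouched on a missing key, which is not visible here. ReverseProxtInit's body starts and continues outside the hunk.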

+ 39 - 4
web/components/status.html

@@ -72,7 +72,13 @@
         <label>Use TLS to serve proxy request</label>
     </div>
     <br>
-    <div id="redirect" class="ui toggle notloopbackOnly checkbox" style="margin-top: 0.6em;">
+    <div id="tlsMinVer" class="ui toggle notloopbackOnly tlsEnabledOnly checkbox" style="margin-top: 0.6em;">
+        <input type="checkbox">
+        <label>Force TLS v1.2 or above<br>
+        <small>(Not compatible with legacy browsers)</small></label>
+    </div>
+    <br>
+    <div id="redirect" class="ui toggle notloopbackOnly tlsEnabledOnly checkbox" style="margin-top: 0.6em;">
         <input type="checkbox">
         <label>Force redirect HTTP request to HTTPS<br>
             <small>(Only apply when listening port is not 80)</small></label>
@@ -340,21 +346,50 @@
     }
     initHTTPtoHTTPSRedirectSetting();
 
+    function initTlsVersionSetting(){
+        $.get("/api/cert/tlsRequireLatest", function(data){
+            if (data == true){
+                $("#tlsMinVer").checkbox("set checked");
+            }else{
+                $("#tlsMinVer").checkbox("set unchecked");
+            }
+
+            //Bind events to the checkbox
+            $("#tlsMinVer").find("input").on("change", function(){
+                let thisValue = $("#tlsMinVer").checkbox("is checked");
+                $.ajax({
+                    url: "/api/cert/tlsRequireLatest",
+                    data: {"set": thisValue},
+                    success: function(data){
+                        if (data.error != undefined){
+                            msgbox(data.error, false, 5000);
+                        }else{
+                            msgbox("TLS Version Setting Updated");
+                        }
+                    }
+                })
+            });
+        });
+        
+    }
+    initTlsVersionSetting();
+
     function initTlsSetting(){
         $.get("/api/cert/tls", function(data){
             if (data == true){
                 $("#tls").checkbox("set checked");
             }else{
-                $("#redirect").addClass('disabled');
+                $(".tlsEnabledOnly").addClass('disabled');
+                $(".tlsEnabledOnly").addClass('disabled');
             }
 
             //Initiate the input listener on the checkbox
             $("#tls").find("input").on("change", function(){
                 let thisValue = $("#tls").checkbox("is checked");
                 if (thisValue){
-                    $("#redirect").removeClass('disabled');
+                    $(".tlsEnabledOnly").removeClass('disabled');
                 }else{
-                    $("#redirect").addClass('disabled');
+                    $(".tlsEnabledOnly").addClass('disabled');
                 }
                 $.ajax({
                     url: "/api/cert/tls",